Vibe coding gave everyone superpowers. Nobody mentioned the kryptonite.
The rise of tools like Lovable, Bolt, and v0 gave people superpowers. Claude Code is a whole different league, and most people aren't ready for that kind of power. And the numbers suggest that even those who brushed off the warnings from developers and security specialists are starting to realize it now that the hype is settling. When you build an application without a developer in the loop, you're missing the filter and the context. That still holds true, at least for now.
Over the past 14 days, I've personally validated several web apps at the request of colleagues and friends. Apps that were built in good faith and with enthusiasm. Some of them genuinely solve niche problems inside organizations or among groups of enthusiasts. Some were already in production.
The vast majority had critical vulnerabilities, and on several occasions I was able to both read from and write to the database. There's no point talking about the other vulnerabilities, let alone the actual execution (like the quality of the user flow).
And it's not just my experience. Escape.tech scanned 5,600 vibe-coded apps and found over 2,000 critical vulnerabilities and 400 exposed secrets, including API keys and tokens. Veracode reported in 2025 that roughly 45% of AI-generated code contains at least one security flaw.
Building software has never been easy, even as new tools kept emerging. It's genuinely much easier now, but that also makes it more dangerous. It's great to see the enthusiasm from non-developers and especially from people outside of tech. But the software lifecycle is long, complex, and takes more than just syntax.
But so that this reflection isn't completely useless, and so I'm not just killing the vibe, here's a selection of topics that should interest everyone at least a little:
Security
- Threat modeling
- Principle of least privilege
- Input validation & sanitization
- Authentication vs. Authorization
- Row Level Security (RLS)
- Secrets management
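Since the concrete finding above was unrestricted read and write access to the database, here is an added example (my own, not code from the post or from any of the tools it names) of what two items on this list, least privilege and Row Level Security, look like in Postgres. The table `notes`, the role `app_user`, the session setting `app.user_id`, the helper `current_user_id()` and the two user ids are all assumptions constructed for the example.

```sql
-- Added example, not code from the post. Postgres row-level security for a
-- per-user "notes" table; table, role, setting and helper names are assumptions.
CREATE TABLE notes (
    id       bigserial PRIMARY KEY,
    owner_id uuid NOT NULL,
    body     text NOT NULL
);

-- Weak setting (the situation described in the post): RLS never enabled, so
-- any role that holds table privileges can read and write every row.
--   GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;  -- on its own, this is the bug

-- Corrected setting: enable RLS and force it, so the table owner is bound too.
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;

-- Assumed helper: the API layer binds the authenticated user's id into the
-- session setting app.user_id; unset or empty means "no user" (NULL).
CREATE FUNCTION current_user_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- Owner-only policies; a NULL user id matches no row and passes no check.
CREATE POLICY notes_owner_select ON notes FOR SELECT
    USING (owner_id = current_user_id());
CREATE POLICY notes_owner_insert ON notes FOR INSERT
    WITH CHECK (owner_id = current_user_id());
CREATE POLICY notes_owner_update ON notes FOR UPDATE
    USING (owner_id = current_user_id())
    WITH CHECK (owner_id = current_user_id());
CREATE POLICY notes_owner_delete ON notes FOR DELETE
    USING (owner_id = current_user_id());

-- Least privilege: the application role gets only the table privileges it
-- needs, and RLS decides which rows those privileges apply to.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;
GRANT USAGE, SELECT ON SEQUENCE notes_id_seq TO app_user;
GRANT EXECUTE ON FUNCTION current_user_id() TO app_user;

-- Check as the restricted role, with two constructed user ids.
SET ROLE app_user;
SELECT set_config('app.user_id', '11111111-1111-1111-1111-111111111111', false);
INSERT INTO notes (owner_id, body)
    VALUES ('11111111-1111-1111-1111-111111111111', 'only user 1 should see this');
SELECT count(*) FROM notes;   -- counted as user 1

SELECT set_config('app.user_id', '22222222-2222-2222-2222-222222222222', false);
SELECT count(*) FROM notes;   -- counted as user 2: user 1's row is filtered out by the SELECT policy
-- Inserting a row on behalf of someone else is rejected by the INSERT policy:
--   INSERT INTO notes (owner_id, body)
--       VALUES ('11111111-1111-1111-1111-111111111111', 'spoofed owner');
RESET ROLE;
```

Run it in `psql` as a superuser against a scratch database. The policies only take effect for roles that are not superusers, so the last block switches to the restricted role before querying. The `FORCE` clause matters when the application connects as the table owner, who would otherwise bypass RLS entirely, and the `USING` and `WITH CHECK` pair covers both the rows a user can see and the rows a user can create or modify, which is the difference between "authenticated" and "authorized" from the same list.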
Architecture & operations
- Rate limiting
- Observability (logs, metrics, traces)
- Backup & disaster recovery
Lifecycle & maintenance
- Dependency management
- Versioning & rollback
- Technical debt
- CI/CD pipeline
- Code review
Data & compliance
- GDPR / data minimization
- Data retention
- Audit logging